Windows physical memory acquisition and analysis

Matthieu Suiche

// July 24 - 27

USA 2010 Weekend Training Session //CANCELLED

USA 2010 Weekday Training Session //July 26-27

Overview:

In this live incident response and forensics course, students will learn, using software-based acquisition methods, about the different full memory dump file formats (Microsoft hibernation file, Microsoft crash dump, and raw dump), working with the MoonSols Windows Memory Toolkit (win32dd, win64dd, hibr2dmp, hibr2bin, dmp2bin, bin2dmp, ...). Students will learn the difference between hardware and software acquisition methods. Building on this, they will learn how to perform advanced analysis of these dumps, including the hibernation file, using the free Microsoft debugger WinDbg. The analysis part of the training covers the basics of processor memory management, Windows memory and process management internals, and the WinDbg SDK and scripting. At the end of the course, students will be able to analyze a Windows 7 x64 hibernation file with WinDbg.

Course Outline:

DAY 1: Acquisition

How to obtain memory dumps and how acquisition works.

Description of the main memory dump file formats:

- Raw dump

- Full memory crash dump

- Hibernation file

Usage and internals of the Win32dd and Win64dd utilities.

Introduction to and use of the MoonSols Memory Toolkit (provided by the teacher) to illustrate the previous points by converting a Microsoft hibernation file into a Microsoft crash dump loadable in WinDbg.

DAY 2: Analysis

Using WinDbg.

Processor memory translation (translation of virtual addresses into physical addresses on both the x86 and x64 architectures)

Windows Memory Manager internals

Windows Process Manager internals

Identification of active, hidden and exited processes

Dynamic-Link Libraries (DLLs)

Files, Handles, Objects

Registry in memory

Brief introduction to WinDbg SDK and scripting

Teaching Methods:

The course alternates lectures that explain the basics, demonstrations that give a visual representation, and hands-on labs in which students verify and practice what they have learned.

Students will run utilities from the MoonSols Memory Toolkit (provided by the trainer) on their own systems to acquire memory dumps, and they will work with memory dumps provided by the trainer (e.g. a Win7 x64 hibernation file). Microsoft WinDbg will also be used.

Prerequisites:

Students must know the difference between kernel-land and user-land, know what RAM (physical memory) is, and must have used WinDbg at least once.

Matthieu has been a speaker at various security conferences such as PacSec, BlackHat USA, the EUROPOL High Tech Crime Meeting, Shakacon, CanSecWest, BH DC, etc. Prior to founding MoonSols, a computer security and kernel code consulting and software company, in 2010, Matthieu worked for companies such as E.A.D.S. (European Aeronautic Defence and Space Company) and the Netherlands Forensic Institute of the Dutch Ministry of Justice.